They Want Your Enterprise Brains: Night of the Botnet of Things

The Internet of Things envisions a programmable world where all machines, all devices, from your toaster to your Toyota, are interconnected via the Internet. Futurists portray a world where you can remotely control all of your devices, right down to the lights in your home, with the tap of a button, and where you yourself are gently guided by your "smart devices" throughout your daily routine as they measure everything from local traffic and weather to your heart rate.

Unfortunately, it's all hackable.

How easy is hacking the Internet of Things?

Recent headlines have been rife with examples of security backdoors allowing hackers to take control of all manner of smart devices, including televisions, baby monitors, pacemakers, and cars.

Less than a year ago, hackers, doing what they do best, hacked into the climate control system of a New Jersey-based company. If you think that the worst that can happen from such an exploit is a miscreant making your employees uncomfortably hot or cold, think again. In addition to an office floor plan, the hack offered access to a myriad of other sensitive data, including employee names and user names, as well as hashed passwords (which are becoming easier and easier to crack).

What's more, with BYOD policies on the rise, the enterprise will increasingly see "BYOIoT" as employees bring and use other interconnected (and vulnerable) devices that IT departments never dreamed they'd have to worry about. In the meantime, both consumer and enterprise IoT devices have already been hijacked to form a "Botnet of Things" more than 420,000-strong (and that's just a "white hat" one that we actually know about).

IoT security flaws are especially problematic because neither smart device makers nor government officials seem to have the same security culture as the tech community when it comes to vulnerability reporting and acknowledgement. Instead, they frequently downplay or even downright fail to respond to security reports regarding critical flaws.

What you can do to secure your network from hacked "smart" devices

Until smart device makers smarten up about security, the onus of guarding against IoT intrusions lies with network managers. The first step is to build and define the IT department's knowledge base of its systems and devices. Use careful auditing procedures to determine what is connected – or can connect – to the organization's network. Security experts urge administrators to identify, track, and monitor everything.

"Build zones and track their interactions," advises Vann Abernethy, senior product manager at NSFOCUS, a web security firm. "[U]nderstand how each system works, how they interrelate and look at all possible vectors." In turn, this will allow IT managers to help prevent intrusions, making it easier to properly authenticate who and what should be connected to the network – and who and what should not be.
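The inventory and zone-tracking advice above can be turned into a routine check. The following is an added example, not part of the original article: it assigns each address in a set of flow records to a zone, flags internal devices missing from the audited inventory, and flags traffic between zones that no policy permits. The zone names, address ranges, inventory, and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed sample data (assumptions, not from the article).
ZONES = {
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "hvac": ipaddress.ip_network("10.20.0.0/24"),   # building systems
    "guest": ipaddress.ip_network("10.30.0.0/24"),  # BYOD / visitor devices
}
INVENTORY = {"10.10.1.5", "10.10.1.9", "10.20.0.10"}  # devices found by the audit
ALLOWED = {("corp", "hvac")}  # permitted (source zone, destination zone) pairs
FLOWS = [  # (source, destination, destination port)
    ("10.10.1.5", "10.20.0.10", 443),   # admin workstation to HVAC controller
    ("10.20.0.10", "10.10.1.9", 445),   # HVAC controller to a corp file server
    ("10.30.0.77", "10.10.1.9", 22),    # uninventoried guest device to corp
    ("10.10.1.5", "10.10.1.9", 445),    # traffic inside one zone
    ("10.20.0.10", "203.0.113.8", 23),  # HVAC controller to an outside host
]

def zone_of(ip):
    """Return the name of the zone containing ip, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def audit(flows, inventory=INVENTORY, allowed=ALLOWED):
    """Return de-duplicated findings for unknown devices and zone violations."""
    findings = []
    def add(item):
        if item not in findings:
            findings.append(item)
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        # Anything inside a defined zone must appear in the audited inventory.
        for ip, zone in ((src, src_zone), (dst, dst_zone)):
            if zone != "external" and ip not in inventory:
                add(("unknown-device", ip, zone))
        # Traffic that crosses zones must match an explicitly allowed pair.
        if src_zone != dst_zone and (src_zone, dst_zone) not in allowed:
            add(("zone-violation", f"{src}->{dst}:{port}", f"{src_zone}->{dst_zone}"))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```

The policy is directional: the workstation may reach the HVAC controller, but a connection initiated by the controller toward the corporate zone is reported.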

Modular, isolationist measures are also essential. Air gaps in particular should be employed with devices that have no good business reason for connecting to the main network. Additionally, administrators should take special precautions with air gaps to bar malware from "jumping" the air gap.